Thailand’s Digital Government Development Agency (DGA) has released drafts of two pivotal documents to guide Thai government agencies in adopting cloud technology and classifying data for cloud usage. These draft guidelines, open for public hearing through August 12, 2025, are part of the national “Go Cloud First” policy, which aims to accelerate digital transformation, improve efficiency, and ensure robust data security across the public sector. The new standards will have significant implications for both government agencies and cloud service providers operating in Thailand.
Highlights of the draft guidelines are presented below.
Government Cloud Usage Guidelines
- Cloud-first transformation: All government agencies are directed to prioritize cloud solutions for new IT projects, in line with the cabinet’s “Go Cloud First” policy.
- Cloud model selection: Agencies must assess their needs and select the most appropriate cloud deployment model—public, private, hybrid, or community cloud—based on the sensitivity of the data and operational requirements.
- Service types: The guidelines provide criteria for choosing between Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), emphasizing the importance of using standard, non-customized services where possible.
- Cost management: Agencies are required to plan and separate cloud-related expenses, ensuring transparency and efficient budget allocation.
- Cloud migration: The guidelines outline the steps for migrating to the cloud and highlight the role of cloud service providers in facilitating the process, including supporting innovation and enabling smooth exit strategies.
- Procurement compliance: All cloud procurement must comply with public sector procurement laws and regulations. Only providers meeting government-mandated standards can be selected.
- Security and shared responsibility: The guidelines clarify the division of security responsibilities between cloud providers and government agencies. While providers manage infrastructure security, agencies remain responsible for data, application, and access controls.
- Legal framework: Agencies must comply with the Digital Government Administration Act, Cybersecurity Act, Personal Data Protection Act (PDPA), and other relevant laws.
Cloud Data Classification Guidelines
- Three-tier data classification: Government data is classified into three categories:
  - Official data: Low-sensitivity data, suitable for public cloud storage.
  - Protected data: Data that could cause harm if disclosed (e.g., tax, medical, or financial records), recommended to be stored in domestic public clouds with enhanced security.
  - Highly protected data: Critical or top-secret data (e.g., national security information), which must be stored in sovereign or state-controlled clouds within Thailand, with the highest security measures.
- Data sovereignty and localization: The guidelines stress the recommendation that all government data be stored within Thailand to ensure compliance with local laws and maintain data sovereignty. Exceptions require DGA approval, except for highly protected data. The guidelines also distinguish between data at rest and data in transit or processing. While the focus of localization is on data at rest, data in transit (e.g., during transmission) or temporary processing outside Thailand could be permitted under certain technical and legal safeguards, provided no unauthorized access occurs. A localization exemption could be granted with special approval from the DGA.
- Cross-border data transfers: Storing data outside Thailand is generally prohibited for sensitive information, with limited exceptions subject to DGA approval. The guidelines define “data that should be in Thailand” as data at rest (i.e., data stored on servers), and this does not include data in transit (data being transferred) or data being processed.
- Risk assessment: Agencies must conduct risk assessments based on confidentiality, integrity, and availability to determine the appropriate level of security and cloud deployment.
- Security controls: The guidelines mandate strict access controls, encryption, and compliance with international standards (e.g., ISO 27001) for sensitive data.
- Legal compliance: The framework aligns with the Official Information Act, PDPA, Cybersecurity Act, and other national security regulations.
Implications and Action Steps for Government Agencies and Cloud Providers
Under the new guidelines, cloud adoption will be highly encouraged for government agencies. Any deviation from the cloud-first approach will need to be justified, with the decision-making process documented.
Government agencies that have implemented or are seeking to implement cloud technology will need to review and update their internal policies to align with the new guidelines, implement robust data classification and risk assessment processes for all digital services before migrating data to the cloud, and plan cloud migrations accordingly.
To be eligible for government contracts, cloud service providers will need to meet stringent security, localization, and compliance standards, and prepare for increased scrutiny regarding data residency, security certifications, and service transparency.
Outlook
These new guidelines represent a significant step forward in Thailand’s digital government strategy. All stakeholders should familiarize themselves with the requirements to ensure compliance, minimize risk, and support the secure and efficient adoption of cloud technology in the public sector.